Digital Choke Daynotes

What's a Daynote?

"Daynotes" are daily (usually) journal entries of interesting happenings and discussions. They are not 'blogs', which are often just a collection of links to other information (although we do include links occasionally). Daynotes are much more interesting (we hope).

These "Digital Choke Daynotes" were inspired by the collection of daily journals of the "Daynotes Gang" (see sites at .com, .net), a collection of daily technical and personal observations from the famous and others. That group started on September 29, 1999, and has grown to an interesting collection of individuals. Readers are invited and encouraged to visit those sites for other interesting daily journals.

If you have comments, send us an email. A bit more about me is here. You might also enjoy our little story about the death of the 'net.

Monday, November 14, 2005

Back from a week's vacation to Dan Seto's home state - the island of Maui (although he lives on Oahu). Very relaxing. Got a condo (called Mahana, highly recommended) on the beach on the west end of Maui as part of the package deal ($2800 for two, air fare and condo). Nice one-bedroom condo with kitchen and washer/dryer, and a killer view of the ocean that is just 40 feet from the lanai (back porch). The condo has wireless access, but (much to the surprise of Pam), I didn't fire up the laptop until Wednesday (we arrived the previous Friday). Did the usual tourist stuff: the "road to Hana" (very nice), walks along the beach (warm water), visited the town of Lahaina (lots of touristy shopping with a few historical places), the Aquarium (pretty good), and a bit of driving around in the convertible PT Cruiser (nice, but no trunk due to the soft top).

We were up on the fourth floor of the condo, so had a nice view of everything (including a pod of dolphins one day, and a seal, along with the almost daily rainbow). The beach there is sandy and narrow, but offshore is a bit rocky with coral, so not much beach activity or crowds. The weather was nice (temps 70's to 80's, not much humidity, partly cloudy most days). I was watching the local weather dweeb's 10-day forecast one night: all ten days were just about the same, which made me think that being a weatherperson in Hawai'i might be quite easy.

While I did a bit of web surfing there, these items caught my eye when I wandered through my email on returning. Lots of it may be old news by now, but perhaps you will find an interesting link or two.

I usually don't like to put a bunch of links in these pages. I don't like 'blogs' that consist solely of links to other places. But I'd bet (virtually, of course) that you find at least three links in here that you'll click on. (Note that all links will open new windows, as is the normal practice around here.)

This first "pile of links" is from the SANS group (newsletter subscription info at the end). I like this newsletter because of the comments that are attached to some of the items.

--US Authorities Arrest Alleged Botnet Operator in California
(7/4/3 November 2005)
FBI agents have arrested Jeanson James Ancheta and charged him with spreading a Trojan horse program that allowed him to create a botnet of 400,000 computers. A botnet is a network of compromised computers that can be controlled to send spam or launch distributed denial-of-service attacks (DDoS). Among the zombie computers in his network were some belonging to the US Department of Defense. Mr. Ancheta allegedly took payment from companies whose adware he surreptitiously loaded into their computers. He also allegedly controlled the computers via an IRC channel and advertised their use for sending spam or launching distributed denial-of-service attacks. Mr. Ancheta was scheduled to be arraigned on Monday, November 7, 2005. Two aspects make this case unique: (1) it is the first time an alleged botnet operator will be prosecuted in the United States, and (2) Mr. Ancheta is accused of using a botnet to make a profit. In the past, people who have created botnets have done so primarily for bragging rights.
http://www.eweek.com/print_article2/0,1217,a=164421,00.asp
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=37514
http://www.computerworld.com/printthis/2005/0,4814,105932,00.html

--Phishing Attack Targets PayPal Users
(4 November 2005)
A new phishing attack is targeting people who use PayPal. The users receive an email message telling them that someone has been trying to access their accounts from a foreign country. They are advised to click on a link that purports to be a PayPal Security Tool executable, but is really a Trojan horse program that modifies the local workstation's DNS settings and deletes itself; when users try to visit PayPal in the future, they are directed to a fraudulently crafted site where the thieves proceed to elicit personal data by asking them to update their accounts. The data requested includes names, Social Security numbers and bank account and routing numbers.
http://www.vnunet.com/vnunet/news/2145545/phishing-attack-payl
[Editor's Note (Grefer): Internet Explorer and Firefox users may benefit from installing the Netcraft Anti-Phishing Toolbar, which provides some basic information about the site a user is visiting, as well as a tentative rating of risk the site may be posing.
(http://toolbar.netcraft.com).]

--Macromedia Urges Patch or Upgrade to Address Flash Player Flaw
(7 November 2005)
Macromedia has warned of an improper memory access flaw in its Flash
Player that affects all Windows versions of Flash Player 6.x and Flash
Player 7.0.19.0 and prior. The current version of Flash Player 8
(8.0.22.0) is not affected. Macromedia recommends that users upgrade
to Flash Player 8, but has also released a patch for Flash Player 7, as
Flash Player 8 is not supported by some older operating systems. The
flaw could be exploited to take control of vulnerable systems.
http://www.computerworld.com/printthis/2005/0,4814,106003,00.html
http://www.techweb.com/wire/security/173500401
http://www.eweek.com/print_article2/0,1217,a=164675,00.asp
http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html
http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=d9c2fe33

--Sony Patch Could Crash Windows PCs
(7/4 November 2005)
The patch posted by Sony that uncloaks files in the digital rights
management (DRM) software that comes with certain CDs could crash
Windows computers and may result in data loss. The crash could take
place as the patch is being installed. Researchers had pointed out last
week that the copy protection technology amounts to a rootkit because
of its design. In a separate story, online gamers are reportedly using
Sony's DRM technology to create undetectable cheating tools.
http://www.techweb.com/wire/security/173500370;jsessionid=W5APTK0P0U5FWQSNDBCSKHSCJUMEKJVN
http://www.theregister.co.uk/2005/11/04/secfocus_wow_bot/print.html
[Editor's Note (Pescatore): This very misguided approach is just another
example (Intuit's attempt at copy protection was an earlier, less
invasive example) of what happens when content owners go too far -
treating your customers as criminals does not pay off. It is also an
example of why, without hardware security improvements in the basic PC
platform, content protection can only go so far.]

--PHP 4.4.1 Upgrade Fixes Security Holes
(1 November 2005)
Security flaws in PHP versions 4.4.0 and earlier could allow attackers
to conduct cross-site scripting attacks, circumvent some security
restrictions and potentially compromise systems. Users of the open
source web development environment are urged to update to version 4.4.1.
PHP 5.0.5 seems to be unaffected.
http://www.theregister.co.uk/2005/11/01/php_security_vuln/print.html
http://www.securityfocus.com/brief/30?ref=rss
http://www.php.net/release_4_4_1.php

--Apple Releases Mac OS X 10.4.3
(1 November 2005)
Apple has updated Mac OS X to version 10.4.3; the update includes fixes
for five security vulnerabilities in the operating system and bundled
applications. One of the security flaws could be exploited to
circumvent security restrictions. The update is available for Mac
clients and Mac servers.
http://www.techweb.com/wire/software/173401043%3Bjsessionid=XWKZIT1UMCWLUQSNDBCCKH0CJUMEKJVN
http://www.eweek.com/print_article2/0,1217,a=164124,00.asp
http://docs.info.apple.com/article.html?artnum=302763
http://docs.info.apple.com/article.html?artnum=301984

--SEC Releases Tips for Safeguarding Personal Information and Money Online
(3 November 2005)
The US Securities and Exchange Commission has released a guide for
investors recommending steps they can take to protect their online
brokerage accounts from data thieves. Among the SEC's recommendations
are checking the sites' security certificates, using security tokens
when available, not responding to email asking for personal data, using
strong password practices and logging out completely from accounts.
http://www.sec.gov/investor/pubs/onlinebrokerage.htm

--Increasing Online Banking Also a Boon for Cyber Thieves
(2 November 2005)
USA Today conducted a four-month investigation into online banking and
cyber crime. Over the past two years, financial institutions have made
it easier for customers to conduct business over the Internet; while
some may appreciate being able to make account transfers, pay bills and
apply for credit online, this also makes it easier for thieves to steal
money online. A major problem is that most institutions require only a
user name and password to gain access to accounts. Bank of America
plans to add log-on steps, making it the first major bank in the United
States to deploy an additional layer of authentication. Links to
related stories include information on measures to reduce the risks of
banking online.
http://www.usatoday.com/tech/news/computersecurity/2005-11-02-cybercrime-online-accounts_x.htm
[Editor's Note (Schultz): Kudos go to Bank America for forging ahead
with stronger authentication. Username-password-based authentication is
badly outdated; those who continue using this weak authentication method
will continue to reap the consequences.
(Paller): The Bank of America solution does not offer a significant
increase in protection for consumers. Hackers can capture the images
with a few lines of code in the trojans they have installed to capture
the passwords. It is time for actual two-authentication in the US.
Banks can do it with cell phones or even password lists they mail with
the statements. And many consumers should be very worried about the
banks' failure because banks are refusing to cover losses for businesses
and so any consumer who runs a business from his or her home could fall
victim to the banks' lack of care.]

For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

Microsoft has a good newsletter for home users. Your "Aunt Minnie" might find this info helpful. Subscribe here: <http://go.microsoft.com/?linkid=4188980>. As an example, here are the links for the articles in the one I got last week.

How to shop online more safely <http://go.microsoft.com/?linkid=4188961>
We all love holiday shopping online--no fighting crowds, jockeying for that perfect parking space, or getting anxious. But before you part with your money, make sure that you're buying from a business that you can count on to deliver the goods. Read on for our tips on how to be safer when you're shopping online.

Security update for November: This month's security update affects Microsoft Windows.

For people with personal computers:
Get updates automatically from Microsoft Update <http://go.microsoft.com/?linkid=4188981>
Learn about the November update <http://go.microsoft.com/?linkid=4188982>
Frequently asked questions about security updates <http://go.microsoft.com/?linkid=4188983>

For IT professionals:
Go to the Security Bulletin Summary on TechNet <http://go.microsoft.com/?linkid=4188984>

For all others:
If you work in a networked office environment, your IT department will keep your computer up to date.

Protect your computer

Get anti-phishing and spam filters with Outlook 2003 SP2 <http://go.microsoft.com/?linkid=4188963>
Help prevent phishing e-mail and spam from getting to your Inbox. Learn how the new Phishing Protection Feature and enhanced Junk E-mail Filter in Microsoft Outlook 2003 Service Pack 2 (SP2) help protect you.

Get the latest in wireless network security <http://go.microsoft.com/?linkid=4188964>
Wi-Fi Protected Access version 2 (WPA2) is the latest version of security for wireless networks. Learn how to install WPA2 on your computers running Windows XP SP2.

----------------------------------------------------------------------

Protect yourself

Help keep your personal information safe when filling out a FAFSA <http://go.microsoft.com/?linkid=4188965>

Are you auction savvy? 10 tips for buyers <http://go.microsoft.com/?linkid=4188966>
Do you shop online? Then you surely know how to separate the good e-stores from the bad and the ugly... or do you? Take this quiz and find out!

----------------------------------------------------------------------

Protect your family

Quiz: Child safety for parents of children ages 2-12 <http://go.microsoft.com/?linkid=4188967>
Whether your kids are just starting to go online or are already Web savvy, you can help to guide their use of the Internet as they grow through different ages and stages in their lives.

Quiz: Child safety for parents of children ages 13-17 <http://go.microsoft.com/?linkid=4188968>
Parents must protect young children from hateful content on the Internet, and teach older kids what to look for in deciding whether a Web site is a hate site. Here are some things you can do to help your kids avoid hateful content online.

----------------------------------------------------------------------

Windows XP Service Pack 2 (SP2) provides better protection against viruses, hackers, and worms, and includes Windows Firewall, Pop-up Blocker for Internet Explorer, and the new Windows Security Center. <http://go.microsoft.com/?linkid=4188954>

That's the end of the "pile of links". Did you find three that you clicked on? (Did you even get to the bottom of this list?)

Tuesday, November 15, 2005

I sent this to Dr. Jerry Pournelle (he gets a few more readers than I do):

Reports today in several places about continuing problems with the Sony rootkit. Using their web-based uninstaller appears to open some major security holes in your system. This is a developing story as I write this (8:00am PST), so further details will be forthcoming.

USA Today is reporting that Sony will be recalling any unsold CD's with that rootkit. The executable-based (downloadable) uninstaller may not have the security problems; this is not quite clear now.

Readers who want to check for the existence of the rootkit can use Notepad or similar to create a text file with a filename that starts with "$SYS$". Save it in a known folder, then use Windows Explorer to list files in that folder. If you don't see the file, then you've got the rootkit. If the file is there, then the rootkit is probably not there (or has been modified).

If you have the rootkit installed, I'd recommend leaving it there for now, but ensure that your anti-virus is current, and be careful (as usual) about "helpful" programs attached to email messages. And I'd install the MS Anti-Spyware program (even in beta form), since there are reports that the next update of that will safely uninstall the rootkit. It appears that current anti-virus programs will detect viruses that try to use the rootkit's ability to hide $SYS$ files.

There's a developing backlash against all Sony products. It may be that this is Sony's "Tylenol" issue, and they don't appear to be handling it very well. (Sony executive: "Most of our customers don't even know what a rootkit is"...so it must be OK to install one, I guess.)

Link to research on the security vulnerability of the web-based uninstall: http://www.freedom-to-tinker.com/?p=927 . Washington Post "Security Fix" column:  http://blogs.washingtonpost.com/securityfix .
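Here is the "$SYS$" test from the note above written as a small script. It is an added example, not code from the note, from Sony, or from any of the sites linked here, and it assumes only the Python standard library and a writable temp directory. It creates a file whose name starts with $SYS$ (the file name used for the probe is made up), asks the operating system for the directory listing, and reports whether the file is still there. On a clean machine it is listed; a file that vanishes from the listing means something is filtering directory enumeration, which is what the cloaking driver does.

```python
"""Added example: the "$SYS$" cloaking test from the note above, as a script.

Creates a file whose name starts with $SYS$, then checks whether the operating
system's directory listing still shows it.  The cloaking driver filters
directory enumeration for names with that prefix, so a file that is missing
from the listing is the tell-tale sign described above.
"""
import os
import tempfile

CLOAK_PREFIX = "$SYS$"                      # prefix the driver hides; NTFS names are case-insensitive
TEST_NAME = CLOAK_PREFIX + "cloaktest.txt"  # hypothetical probe file name, chosen for this example


def cloak_test(directory):
    """Create a $SYS$ file in `directory` and report how visible it is.

    Returns a dict with the file's path, whether a directory listing shows it,
    whether a direct open of the name works, and whether it could be removed.
    """
    path = os.path.join(directory, TEST_NAME)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("cloak test\n")
    try:
        # Directory enumeration is the call the rootkit filters.
        listed = any(entry.lower() == TEST_NAME.lower() for entry in os.listdir(directory))
        # A by-name lookup does not go through enumeration, so it is reported separately.
        opens_by_name = os.path.isfile(path)
    finally:
        try:
            os.remove(path)
        except OSError:
            pass  # a cloaked file may resist removal; the path is returned so it can be cleaned up
    return {
        "path": path,
        "listed": listed,
        "opens_by_name": opens_by_name,
        "removed": not os.path.exists(path),
    }


def verdict(result):
    """The yes/no answer the note above gives: hidden from the listing means cloaked."""
    return "clean" if result["listed"] else "cloaked"


def run_check(directory=None):
    """Run the probe (in the system temp directory by default) and return (result, verdict)."""
    result = cloak_test(directory or tempfile.gettempdir())
    return result, verdict(result)


if __name__ == "__main__":
    outcome, answer = run_check()
    print(answer, outcome)
```

Run it from an ordinary command prompt on the machine you want to check; it prints "clean" or "cloaked" followed by the details. If the verdict is "cloaked" but "opens_by_name" is True, the file exists and is only being hidden from listings, and you will want to delete it by its full path since Explorer will not show it.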


The "Security Fix" link has some links that list the CDs with the rootkit; there were 47 at last count (more than Sony is admitting). There's also a link to a guy that claims there are 1/2 million computers with that rootkit installed. Since the rootkit 'phones home' when the CD's music is played, he looked at the DNS servers to see how many computers are doing a domain lookup for the rootkit's home site.

There's also a new round of "Sober" virus emails making the rounds today. Protection from your favorite anti-virus vendor may be slow (McAfee is aiming for an update tomorrow, but it may come sooner). At the office here, we block all incoming executables, and have already seen a couple of the new variants. Blocking executables is a great way to prevent the 'zero-day' virus outbreaks. For home users, keeping your email client current should help; as will a rule to block executable attachments. My Outlook 2003 seems to detect most of the incoming junk mail. Of course, I've got Microsoft Update set up for automatic updates.

Be careful out there.....

Wednesday, November 16, 2005

"All my base belongs to Google" (see http://base.google.com/base/search?authorid=1028662).

Yep, Google has gotten into the 'classifieds'. So I posted a couple of entries there to see how it works. Not too bad. I put up three items (two trucks and a trailer), but the above link (which is "all items from Rick Hellewell") only shows the two trucks. Not sure why that is; if you do a search on GoogleBase for "Komfort" (the trailer make), the trailer entry comes up.

And since I put a URL in the entries, the link brings you to the pages here. Although there is a URL for the actual item, it's not "linked"; you have to do a manual cut/paste of the URL to see the GoogleBase entry.

But it was interesting to try out. No responses yet; the listings last for 31 days, so we'll see if I get any response.

On the security front, more "Sony fallout". They are getting hammered pretty hard in the press (rightly so). If they don't handle it right, this will be as bad as the "Tylenol" problem of several years back.

And what do you do if the Sony rootkit is installed on your computer (see above for how to tell)? It's not entirely clear yet, although the folks at F-Secure say this (remember that links around here open up new windows):

The Sony DRM case seems to be getting more and more twisted. Our readers might be wondering what the actual risks are at this point and what they should be doing about them. Here's a short recap.

If you have the Sony DRM with the rootkit (aries.sys) still active, you should consider getting the update to remove the rootkit. Do this by using the standalone executable available here. There are already several malware variants that try to hide with the help of the Sony DRM cloaking.

After this you're left with the rest of the Sony DRM software, which might be vulnerable to local privilege escalation attacks reported by ISS X-Force. To remove the DRM software entirely, you will have to wait for Sony to fix their uninstaller and carefully consider using the new version once it's released.

If you have already used the ActiveX uninstaller that was available until Sony stopped distributing it, you are vulnerable to a remote code execution attack. You should remove the vulnerable ActiveX component. If you want, set a kill-bit for it (the CLSID is {4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}) just to be sure.

I'd sit tight for a bit on removal. Install Microsoft's Anti-Spyware program, then let it take care of it. In the meantime, make sure your anti-virus and Microsoft updates are current.
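For readers who want to follow the F-Secure advice above and set the kill-bit, here is that step as a script. It is an added example, not from F-Secure, Sony or Microsoft. It relies on the standard kill-bit mechanism: Internet Explorer looks under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} for a "Compatibility Flags" DWORD, and bit 0x400 tells it never to instantiate that control. The CLSID is the one quoted from F-Secure. Writing to HKLM needs an elevated (administrator) prompt; run on anything other than Windows, the script just prints an equivalent .reg file you can carry over and import.

```python
"""Added example: check or set the Internet Explorer kill-bit for an ActiveX CLSID.

Setting the 0x400 bit in "Compatibility Flags" under the ActiveX Compatibility
key is the mechanism IE uses to refuse a control.  Writing to HKLM needs an
elevated prompt; on a non-Windows box the script prints a .reg file instead.
"""
import sys

VULNERABLE_CLSID = "{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}"   # the uninstaller component named above
COMPAT_SUBKEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
VALUE_NAME = "Compatibility Flags"
KILL_BIT = 0x00000400   # bit in "Compatibility Flags" that blocks the control


def killbit_subkey(clsid):
    """Registry path (below HKLM) of the per-CLSID compatibility entry."""
    return COMPAT_SUBKEY + "\\" + clsid.upper()


def is_killed(flags):
    """True when an existing flags value already carries the kill-bit."""
    return flags is not None and bool(flags & KILL_BIT)


def with_killbit(flags):
    """Merge the kill-bit into existing flags without disturbing other bits."""
    return (flags or 0) | KILL_BIT


def reg_file_text(clsid):
    """Equivalent .reg file, for `reg import` on a machine where you would rather not run a script."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\" + killbit_subkey(clsid) + "]\r\n"
        '"' + VALUE_NAME + '"=dword:' + format(KILL_BIT, "08x") + "\r\n"
    )


def read_flags(clsid):
    """Current flags DWORD for the CLSID, or None when no entry exists (Windows only)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, killbit_subkey(clsid)) as key:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return None
    return value if kind == winreg.REG_DWORD else None


def set_killbit(clsid):
    """Create the entry if needed and set the kill-bit; returns the flags written (Windows only)."""
    import winreg
    flags = with_killbit(read_flags(clsid))
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, killbit_subkey(clsid)) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, flags)
    return flags


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.stdout.write(reg_file_text(VULNERABLE_CLSID))
    elif is_killed(read_flags(VULNERABLE_CLSID)):
        print("kill-bit already set for", VULNERABLE_CLSID)
    else:
        print("kill-bit set, flags now 0x%08x" % set_killbit(VULNERABLE_CLSID))
```

The kill-bit only stops Internet Explorer from loading the control; it does not remove the DLL from the disk, which is why F-Secure says to remove the component as well. Merging into the existing flags rather than overwriting them matters if some other tool has already written its own bits to that value.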

(later)

Jerry Pournelle's mail blog (a few pages down; BTW, there's some interesting ongoing discussions of Google Print and copyrighted works) had a posting from an anonymous reader working for a state government saying that their IT staff says that the Sony rootkit had infected servers and workstations there. I sent along this note:

Regarding your entry in Wednesday's mail from the anonymous state employee and their IT dept claiming that "our servers and workstations have been infected with Sony's rootkit DRM".

It is true that the Sony rootkit 'phones home' almost continually during music playback (every 30 seconds, I think, which causes some high utilization on the user's computer and some extra web traffic). The "phone home" sites are http://connected.sonymusic.com, http://updates.xcp-aurora.com and http://license.suncom2.com, if you want to check your web logs.

But a Sony rootkit-infected workstation will *not* infect *other* workstations or servers. If the rootkit got on a server, it was because somebody played a Sony CD on the server and allowed the rootkit to install. The rootkit will only infect the computer that the CD is played on.

There are several Trojan viruses being emailed that are using the same technique of hiding their malware files, and that malware will infect other systems through the usual means (along with installing additional programs and keystroke-catchers, etc). But you have to install those Trojans by opening an executable attachment.

Readers might try wandering over to the "Boycott Sony" blog here: http://www.boycottsony.us . And the F-Secure (antivirus) folks have recommendations on what to do if your computer has been "0wned" by Sony here: http://www.f-secure.com/weblog/archives/archive-112005.html#00000709 .

As for me: the usual precautions: current OS and anti-virus updates, don't open attachments, and be careful about installing software.

Be careful out there.....you could be eaten by grues.
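Since the note above suggests checking your web logs for the three "phone home" sites, here is a scan that does that over proxy log lines. It is an added example, not from the note or from any proxy vendor; the "date time client method url status" line layout and the sample lines are constructed for the example and are not real traffic. It matches on the host part of the URL (so a path that merely contains one of the names does not count), accepts names beneath the three hosts as well as exact matches, and also reports the spacing between a client's call-backs, since a steady half-minute cadence is the pattern described above.

```python
"""Added example: scan web-proxy log lines for the XCP "phone home" hosts.

The three hosts are the ones named in the note above.  The line layout and the
sample lines are constructed for this example, not taken from a real proxy.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

XCP_HOSTS = {
    "connected.sonymusic.com",
    "updates.xcp-aurora.com",
    "license.suncom2.com",
}

# Constructed layout: "date time client method url status", one request per line.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample data: one machine polling every 30 seconds, one hitting
# the other two hosts, and two decoys that must not match.
SAMPLE_LOG = """\
2005-11-16 08:00:01 10.1.2.33 GET http://connected.sonymusic.com/ 200
2005-11-16 08:00:31 10.1.2.33 GET http://connected.sonymusic.com/ 200
2005-11-16 08:00:40 10.1.2.33 GET http://www.google.com/ 200
2005-11-16 08:01:01 10.1.2.33 GET http://connected.sonymusic.com/ 200
2005-11-16 08:05:12 10.1.2.77 GET http://updates.xcp-aurora.com/ 404
2005-11-16 08:05:13 10.1.2.77 GET http://license.suncom2.com/ 200
2005-11-16 08:06:00 10.1.2.90 GET http://example.org/connected.sonymusic.com 200
2005-11-16 08:06:05 10.1.2.90 GET http://www.sonymusic.com/ 200
this line is deliberately malformed and is skipped
"""


def is_xcp_host(host):
    """True for an exact call-back host or any name beneath one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in XCP_HOSTS)


def parse(lines):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that does not fit the layout
        host = urlsplit(m["url"]).hostname or ""  # match on the URL host, never on path text
        when = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
        yield when, m["client"], host


def find_xcp_clients(lines):
    """Map each client that contacted a call-back host to {host: request count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for _, client, host in parse(lines):
        if is_xcp_host(host):
            hits[client][host] += 1
    return {client: dict(per_host) for client, per_host in hits.items()}


def callback_intervals(lines):
    """Seconds between consecutive call-backs per client, to spot the steady polling cadence."""
    seen = defaultdict(list)
    for when, client, host in parse(lines):
        if is_xcp_host(host):
            seen[client].append(when)
    return {
        client: [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        for client, times in seen.items()
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, per_host in find_xcp_clients(lines).items():
        print(client, per_host)
    print(callback_intervals(lines))
```

Against the sample, 10.1.2.33 shows three hits on connected.sonymusic.com thirty seconds apart, 10.1.2.77 shows one hit on each of the other two hosts, and 10.1.2.90 is not reported at all because its requests only mention the names in the path or go to a different host. To use it on real data, replace LINE_RE with a pattern for your proxy's format and feed it the file instead of SAMPLE_LOG; the matching and cadence logic does not change.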

... more later ...